On Wed, 8 Feb 2017 22:07:24 +0100 Michael Niedermayer <mich...@niedermayer.cc> wrote:
> Hi all
>
> On Sat, Aug 08, 2015 at 03:51:11AM +0200, Michael Niedermayer wrote:
> > On Fri, Aug 07, 2015 at 07:46:55PM -0400, compn wrote:
> > > hello,
> > >
> > > some of you know that we have a list for security / CVE issues.
> > > some of you did not know this.
> > >
> > > i think it is a private list due to not wanting people to make exploits
> > > before we have a chance to fix them. of course, if no one is subscribed
> > > to review/fix issues then they will never get fixed.
> > >
> > > so if you are a regular developer who wants access to this list, please
> > > speak up.
> > >
> > > i do not run nor admin the security email/list (nor do i know who does)
> > > so please don't ask me questions about it.
> >
> > I guess I "de facto" admin the security "email/list".
> > If someone wants to help with security issues, mail me.
> >
> > But there are no open security issues, and if there was one I very
> > likely would fix it ASAP.
>
> A small update due to never? before seen interest in ffmpeg-security
> in the recent weeks/months.
>
> How to get on the ffmpeg-security "list"
>
> People working on security in FFmpeg, that's maybe fixing many Coverity
> issues, backporting fixes to releases, maintaining FFmpeg releases, ...
> have an obsession with fixing bugs about undefined behavior or bugs
> about crashes and race conditions on trac. Or an obsession with testing
> every bugfix and who want and need access to ffmpeg-security should
> be on ffmpeg-security.
> In short, people on ffmpeg-security should need to be on ffmpeg-security.
> If you fall in this kind of category, please mail me.
>
> Or someone who reviews commits and obtains CVE#s for everything that
> could be exploitable ...
>
> I don't think we should give access to ffmpeg-security to everyone who
> wants to be on the list. This is of course something the community
> has to decide and not me; I am just erring on the safe side and am very
> restrictive on who is added.
>
> About the content, I must warn you the list is really not very
> interesting, as in trying to find, together with Debian, someone at
> Chromium who knows what the CVEs they registered about FFmpeg actually
> are about ... and then it embarrassingly is a patch on ffmpeg-devel
> that is stuck in review and not applied, and now I can redo the releases ...
> ... Where are the people caring about security? Why did they not
> pick these 2 public patches up, change what they felt needs changing
> and push them?
> And there are the fuzz samples that need more than 20sec; these are
> the main type of reported issue recently after I've succeeded to stop
> the OOM kind.
>
> Also there are no open security(*) issues I know of, and if there would
> be I likely would fix them ASAP. Not saying that help is unwelcome
> or that it's impossible for me to make a mistake or miss something ...
>
> (*) I assume here that fuzz samples taking more than 20sec or integer
> overflows in DSP code aren't security issues. I am working on fixing
> these too, but for this category there are open issues.
>
> PS: If you want access to the oss-fuzz reports, they all seem
> automatically public 7 days after being fixed.
>
> [...]

I'd like to get on the ffmpeg-security mailing list to review patches. I've asked multiple times, but never received an answer.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel